Solved

IIS 6.0 Win2003 Server asp login & security

Posted on 2004-09-20
Last Modified: 2009-07-29
I'm looking for a full working example, or even a purchased product, that will -

Have a login.asp page containing 2 text boxes (username & password). User submits page to authenticatepage.asp, where a database is searched to determine if it is a valid username & pwd. Depending on the username, a specific asp page will be opened. I need to use session objects (I think) since I cannot have the user bookmark the page and return to it without going through the logIn page.

Some of the pages for the user are asp and others are html.

Thanks

Question by:Malek103197
6 Comments
 
LVL 31

Expert Comment

by:alorentz
ID: 12101639
What do you want?  This site is to help with problems....not write code for you.
0
 
LVL 2

Expert Comment

by:Coolhand2120
ID: 12102201
Make an HTML page with the two text inputs (username & password) and a submit button.  Then in the form tag in the action property (<form action="****" where *** is your submit page).  This will send the user to this page when they click submit.  You'll need to connect to a database and because you don't specify what kind of database you wish to use, even if EE did write code for you....  Then you can use response.redirect to point the user to the 'logged on' page or the 'not logged on' page.

ANYHOW if you do know what your database is post it and I'll help with HOW to do it.  I'm totally willing to spend an absurd amount of time teaching you how to create this.

I'd suggest using cookies, session objects are slow and unwieldy.
Don't forget!  You're in the ASP section of EE so we are assuming you're using ASP and a server that can use ASP.
If you have no clue what I'm talking about, hire someone that does, you shouldn't be doing this.
Even if you purchase a program you'll still need to purchase a database (SQL, Access etc.).

-Coolhand2120
0
 

Author Comment

by:Malek103197
ID: 12103111
Ok, I'm trying to make sense of this script...

The way I interpret it is that when a page is opened and there is not a session UID, the user will be directed to the logIn page, but I'm not clear on what the author refers to as HTTP_REFERRER.
Need a bit of help understanding this script.

Thanks

Every Page
The script is implemented by including the following code above the <html> tag of every page;

<%
Dim HTTP_REFERRER
Response.ExpiresAbsolute = Now() - 1
Response.AddHeader "Cache-Control", "no-cache"
If Not(IsObject(Session("UID"))) Then
If Session("UID") = "" Then
HTTP_REFERRER = Request.ServerVariables("URL")
If Request.QueryString <> "" Then HTTP_REFERRER = HTTP_REFERRER & "?" & Request.QueryString
Response.Redirect "login.asp?HTTP_REFERRER=" & Server.URLEncode(HTTP_REFERRER)
End If
End If
%>



Login.asp -
Script
If the script on the requested page determines that the UID session variable has not been set, the user is redirected to the login page. The login page contains the following code above the <html> tag;

<%
Response.ExpiresAbsolute = Now() - 1
Response.AddHeader "Cache-Control", "no-cache"
Dim HTTP_REFERRER, UserObject
Status = "Please log in."
HTTP_REFERRER = Request("HTTP_REFERRER")
If Request.Form("username") <> "" Then
If Login Then
Session("UID") = UserObject.Item("username")
'Set Session("UID") = UserObject
If HTTP_REFERRER  = "" Then
Response.Redirect "default.htm"
Else
Response.Redirect HTTP_REFERRER
End If
Else
Status = "Invalid Login... Please Try Again."
End If
End If

Function Login
Dim conn, rs, sql, dbFIle
dbFile = "login.mdb"
Set conn = Server.CreateObject("ADODB.Connection")
conn.open "driver={Microsoft Access Driver (*.mdb)};dbq=" & Server.MapPath(dbFile) & ";"
Set rs = Server.CreateObject("ADODB.Recordset")
sql = "SELECT * FROM users WHERE username = '" & _
 Request.Form("Username") & "' AND password = '" & Request.Form("Password")& "'"
rs.Open sql, conn, 3, 3
If Not rs.EOF Then
Set UserObject = CreateObject("Scripting.Dictionary")
For each field in rs.Fields
UserObject.Add field.name, field.value
Next
Login = True
Else
Login = False
End If
rs.Close
set rs = nothing
conn.Close
set conn = nothing
End Function
%>
<html>
0

 
LVL 2

Accepted Solution

by:
Coolhand2120 earned 1000 total points
ID: 12106800
Wow... well I can tell you that this is an odd script.  HTTP_REFERER is very very unreliable, 50% of the time it doesn't work.  It's supposed to return the URL of the page that sent the user to the current page.  If you want to put the user back to the page they just came from I'd use client side javascript location.history.  But I don't think you're interested in this.

THIS:

<%
Dim HTTP_REFERRER
Response.ExpiresAbsolute = Now() - 1
Response.AddHeader "Cache-Control", "no-cache"
If Not(IsObject(Session("UID"))) Then
If Session("UID") = "" Then
HTTP_REFERRER = Request.ServerVariables("URL")
If Request.QueryString <> "" Then HTTP_REFERRER = HTTP_REFERRER & "?" & Request.QueryString
Response.Redirect "login.asp?HTTP_REFERRER=" & Server.URLEncode(HTTP_REFERRER)
End If
End If
%>


would be easier if it said:

<%

if request.cookies("userID") <> "" then
  userID = request.cookies("userID")
else
  response.redirect "logon.asp"
end if

%>



This:

<%
Response.ExpiresAbsolute = Now() - 1
Response.AddHeader "Cache-Control", "no-cache"
Dim HTTP_REFERRER, UserObject
Status = "Please log in."
HTTP_REFERRER = Request("HTTP_REFERRER")
If Request.Form("username") <> "" Then
If Login Then
Session("UID") = UserObject.Item("username")
'Set Session("UID") = UserObject
If HTTP_REFERRER  = "" Then
Response.Redirect "default.htm"
Else
Response.Redirect HTTP_REFERRER
End If
Else
Status = "Invalid Login... Please Try Again."
End If
End If

Function Login
Dim conn, rs, sql, dbFIle
dbFile = "login.mdb"
Set conn = Server.CreateObject("ADODB.Connection")
conn.open "driver={Microsoft Access Driver (*.mdb)};dbq=" & Server.MapPath(dbFile) & ";"
Set rs = Server.CreateObject("ADODB.Recordset")
sql = "SELECT * FROM users WHERE username = '" & _
 Request.Form("Username") & "' AND password = '" & Request.Form("Password")& "'"
rs.Open sql, conn, 3, 3
If Not rs.EOF Then
Set UserObject = CreateObject("Scripting.Dictionary")
For each field in rs.Fields
UserObject.Add field.name, field.value
Next
Login = True
Else
Login = False
End If
rs.Close
set rs = nothing
conn.Close
set conn = nothing
End Function
%>


Would be easier if it said:
Your logon.asp page should have this script at the top

<%
if request.form("Username") <> "" then

'This block below will connect to your database to look up stuff
 Set rs = Server.CreateObject("ADODB.Recordset")
 rs.ActiveConnection = "driver={Microsoft Access Driver (*.mdb)};dbq=" & Server.MapPath("login.mdb") & ";"
 rs.Source = "Select * from users where username = '" & request.form("username") & "' and password = '" & request.form("password") & "'"
 rs.CursorType = 0
 rs.CursorLocation = 2
 rs.LockType = 1
 rs.Open()

  'Remember whether the recordset had a row (a matching username / password)
 loginOK = not (rs.eof or rs.bof)

'Clean up DB connection objects before redirecting (response.redirect ends the script)

  rs.close
  set rs = nothing

 if not loginOK then
   response.redirect "logon.asp?badpassword=1"    'This is where it would send users that type bad u/p
 else
   response.cookies("userID") = request.form("username")   'this sets the username into a cookie called "userID" which you can check later and see if its empty or not
   response.redirect "default.asp"  'Redirect to wherever you want to put the user after they logon correctly
 end if

end if
%>

logon.asp should have this after the asp part:

<form method="post" action="logon.asp">

<input name="username" type="text">
<input name="password" type="password">
<input type="submit">

</form>

Sorry I pretty much rewrote your script there, if you still have problems just post again!

-Coolhand2120
0
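A hardened variant of the logon.asp header discussed in this thread, as an added example that is not part of any poster's code: it binds the form values as ADO parameters instead of concatenating them into the SQL string, keeps the login state in the server-side Session("UID") that the "Every Page" script checks, and follows the HTTP_REFERRER value only when it is a site-local path. Assumptions: the 50-character column limit, the SafeTarget helper name, and a login form whose action keeps the HTTP_REFERRER query string.

```asp
<%
' Added example (not from the thread): hardened header for logon.asp.
' Assumed: users.username / users.password are text columns of <= 50 chars.
Const adVarChar = 200, adParamInput = 1, adCmdText = 1   ' standard ADO values

' SafeTarget (hypothetical helper): accept only a site-local path such as
' "/reports/a.asp?x=1"; anything else falls back to default.asp.
Function SafeTarget(t)
  SafeTarget = "default.asp"
  If Len(t) = 0 Or Len(t) > 200 Then Exit Function
  If Left(t, 1) <> "/" Or Left(t, 2) = "//" Then Exit Function
  If InStr(t, "\") > 0 Or InStr(t, ":") > 0 Then Exit Function
  If InStr(t, vbCr) > 0 Or InStr(t, vbLf) > 0 Then Exit Function
  SafeTarget = t
End Function

Dim user, pass, cmd, rs, ok
user = Request.Form("username") & ""
pass = Request.Form("password") & ""
ok = False

If user <> "" Then
  If Len(user) <= 50 And Len(pass) <= 50 Then
    Set cmd = Server.CreateObject("ADODB.Command")
    cmd.ActiveConnection = "driver={Microsoft Access Driver (*.mdb)};dbq=" & _
                           Server.MapPath("login.mdb") & ";"
    cmd.CommandType = adCmdText
    ' The ? markers are bound as data, so quotes in the input are not parsed as SQL.
    cmd.CommandText = "SELECT username FROM users WHERE username = ? AND [password] = ?"
    cmd.Parameters.Append cmd.CreateParameter("u", adVarChar, adParamInput, 50, user)
    cmd.Parameters.Append cmd.CreateParameter("p", adVarChar, adParamInput, 50, pass)
    Set rs = cmd.Execute
    If Not rs.EOF Then
      ok = True
      Session("UID") = rs("username").Value   ' login state stays on the server
    End If
    rs.Close
    Set rs = Nothing
    Set cmd = Nothing
  End If
  ' Redirect last: Response.Redirect ends the script.
  If ok Then
    Response.Redirect SafeTarget(Request.QueryString("HTTP_REFERRER") & "")
  Else
    Response.Redirect "logon.asp?badpassword=1"
  End If
End If
%>
```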
 

Author Comment

by:Malek103197
ID: 12112242
Thanks Coolhand2120, that is a lot simpler and very understandable.
0
 
LVL 2

Expert Comment

by:Coolhand2120
ID: 12112668
NP.  Let me know if it works out for you.

-Coolhand2120
0
